Finding v6 hosts by efficiently mapping

A technique for quickly finding existing reverse (PTR) entries in zones occurred to me recently. A cursory internet search reveals little about the subject, suggesting nobody else may have connected these dots before. So, I wrote a rudimentary tool to test the idea. Results: AWESOME. One tested /48 containing, apparently, 737 reverse PTRs, was fully scanned with just 14785 queries.

The method is best explained using an example. This example uses the IPv6 Address Prefix Reserved for Documentation.

Let’s assume that within 2001:DB8::/32 there is 2001:DB8:80::/48 which has reverse DNS hosted in a zone called

Now, given the zone name (let’s call it X to be slightly easier on the eyes), we can query 0.X, 1.X, 2.X etc. up to and including f.X. Most of these queries will return an NXDOMAIN rcode; this means the name does not exist, but very importantly, this can usually be construed to mean that no longer name exists either. Suppose that in this case, two of the names (0.X and f.X) do not return NXDOMAIN – instead they return NOERROR. This means the nameserver has a reason to not deny existence, and in this case, that reason is that a longer name exists.

We tested 16 prefixes of X and have rejected 14 due to NXDOMAIN; by that, we have reduced our search space from a full /48 to 1/8th of a /52 – a 128-fold reduction with just 16 queries. This trend continues at every step.

Note that whether this works depends on how a nameserver handles requests for these shortened names (the technical term is ‘empty non-terminals’). BIND and NSD return NOERROR and NXDOMAIN as described above; tinydns and PowerDNS in most setups will not.

As said above, I could not find any previous work applying this feature of DNS to the mapping of reverse zones. If you do know of anything, let me know and I will update this post.

Please read my followup post.